Modern field guide to security and privacy

Who should take the fall after a corporate hack? It may soon be the CEO

A survey of 200 public companies shows that corporate boards are becoming more concerned about cybersecurity and are willing to hold top executives accountable for data breaches.

After the December 2013 Target data breach, the only top executive to publicly pay a price for the incident was Chief Information Officer Beth Jacobs. CEO Gregg Steinhafel quit the company a few months after the breach, but his exit is believed to have had more to do with a botched expansion in Canada than just the breach.

Data breaches can cost companies hundreds of millions of dollars, erode shareholder value, and indelibly tarnish corporate reputations. Yet, chief executives and other top brass at organizations that suffer such incidents have remained largely immune from the fallout.

That may be changing.

A new survey of 200 directors of public companies conducted by security firm Veracode and the New York Stock Exchange Governance Services shows that corporate boards have become much more serious about data breaches and are willing to hold top executives accountable for them.

More than four in 10 of the directors in the survey felt that a company’s chief executive officer should take the rap for a data breach. When asked to prioritize who should be held accountable for such incidents, corporate boards ranked the chief executive officer first, followed by the chief information officer, and then the entire executive team.

Chief information security officers, often the fall guys in a data breach situation, ranked fourth in the list – suggesting that directors get it that security executives can do only as well as the support and the resources they get from top management.

Security has also become a growing priority for boards. In fact, 81 percent of the directors in the survey said information security matters have become a topic for discussion at most or every board meeting. Still, two-thirds professed being uncertain of their company’s ability to avert a data breach, while more than 70 percent said they were significantly concerned about security risk from third-party software in the supply chain.

The numbers reflect a major shift in attitudes toward cybersecurity within corporate boards. Until the recent spate of mega breaches at Target, Sony, Home Depot, Anthem, and elsewhere, information security was hardly, if ever, a top item on the corporate risk-management agenda.

"Legal, regulatory, shareholder, and professional bodies are increasingly charging board members to become more accountable for this area of risk,” said Martin Whitworth, an analyst at Forrester Research.

“Whilst this attention can only be a positive thing, it has to be balanced by the lack of confidence expressed by these same board directors in their companies ability to properly mitigate against cyberrisk,” he added.

The report shows boards need help in understanding the level of risk they face and the available options for dealing with them, Mr. Whitworth said.

Board members and chief executives have generally tended to view cybersecurity as a tactical mission best handled by the technology group. Accountability has been rare, and often restricted to the executives directly in charge of the security or technology function.

When Target suffered its massive data breach, the only top executive to pay a price for the incident, at least publicly, was Chief Information Officer Beth Jacobs. The CEO, Gregg Steinhafel, quit the company a few months after the breach, but his exit is believed to have had more to do with a botched expansion in Canada than just the breach.

The same was true in previous incidents: When someone has been held accountable after a data breach, it was usually from the technology side. In 2012, when hackers broke into a Medicaid server at the Utah Department of Health and accessed some 24,000 records containing sensitive data, it was the executive director of the state’s department of technology services who had to quit. In 2014, the Maricopa County Community College District in Arizona fired the longtime director of its information technology department for a breach that exposed Social Security Numbers and other sensitive information on more than two million people.

But growing concerns about brand damage, loss of intellectual property, and financial losses have changed how corporate boards view data breaches, says Chris Wysopal, chief technology officer of Veracode. Many appear willing to spread the blame around more evenly, he said.

“One of the key takeaways here is that they see the CEO as the one that is ultimately responsible” for cybersecurity, Mr. Wysopal said. “As breaches have gotten bigger and bigger [corporate] boards are beginning to see that security is ultimately not an IT problem relegated to a technology specialty but a much more broad based problem.”

Liability concerns may be another factor driving the change of heart within corporate boards. Big breaches often spawn lawsuits from consumers, banks, and other affected parties. Target, Home Depot, and Anthem, for instance, were all hit with literally dozens of lawsuits in the aftermath of their breach disclosures. Typically, such lawsuits tend to get consolidated and then later dismissed by the courts or settled for relatively modest sums. 

But some of the lawsuits have started raising thorny questions for companies. Last December, a Minnesota federal court ruled that Target could be sued for negligence because it failed to heed warnings about the breach from a security alerting system. Some have said the ruling could set in motion new legal standards for bringing negligence claims against organizations that suffer data breaches.

In May 2014, Institutional Shareholder Services, a company that advises shareholders on governance risk issues called on Target shareholders to vote against seven of the 10 directors belonging to the company’s Audit and Corporate Responsibility Committee for failing to provide enough risk oversight. Though all of the directors were reelected at the company’s shareholder meeting last June, the incident should put companies on notice: Some stakeholders may have started running out of patience with corporate boards' attitudes toward cybersecurity, too.


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Who should take the fall after a corporate hack? It may soon be the CEO
Read this article in
QR Code to Subscription page
Start your subscription today